How WhatsApp encryption works
In November of 2014, the developers of Open Whisper Systems have announced a collaboration with WhatsApp aimed at bringing their system to end-to-end encryption (TextSecure) in the popular mobile messaging app. End-to-end encryption works with a pair of keys: one private and one public. There private key it resides exclusively on our smartphone and is used to decrypt messages received from the outside. There public keyinstead, it is shared with our interlocutor and is used by the latter to encrypt the messages that are delivered to us (and vice versa). In the middle there are the WhatsApp servers, which act as "postmen", that is, they receive encrypted messages (therefore unreadable both for the service managers and for any malicious persons) and deliver them to the recipient's phone.
The great thing about end-to-end encryption is that it all happens at lightning speed and without the user having to lift a finger. The only one potential unknown lies in the actual application of this system. WhatsApp, in fact, is closed source software and it is not possible to know with absolute certainty how it handles messages. The only thing that can be done - and that several scholars have tried to do - is to examine the data traffic of the application with software such as Wireshark (I told you about it in my post on how to sniff a wireless network, remember?) e Yowsup.
Some of these tests, such as the one carried out by Heise in April 2015, showed that end-to-end encryption was only used on the Android version of WhatsApp. The others continued to use an encryption system based on the RC4 algorithm, which only worked on output (thus making messages on WhatsApp servers potentially readable) and has not been considered safe for several months. But now the situation has changed, end-to-end encryption has also arrived on other platforms (iOS, Windows Phone etc.) and covers all the contents conveyed by the app: messages, group chats, videos, photos, etc.
We can therefore say that WhatsApp is reasonably safe; capturing the messages that travel on its servers should be a very difficult undertaking, but it is right to maintain a bit of doubt regarding the inability to thoroughly analyze the application's source code. For more details on end-to-end encryption and its implementation within WhatsApp, please refer to my tutorial on how to encrypt WhatsApp.
How to spy on WhatsApp: social engineering techniques
As we have just said, capturing WhatsApp messages by trying to "sniff" the data that transits on the wireless network used by the smartphone, thanks to end-to-end encryption, is not as easy as it used to be. But there are techniques for spy on WhatsApp, less refined, which can still hit the mark. These techniques provide for physical access to the victim's smartphone and therefore involve the so-called social engineering.
In technical jargon, the expression social engineering refers to all those activities that exploit human psychology to defraud the victim of a cyber attack. This means that an attacker could pretend to be a friend (or in any case reliable) and ask you to borrow your phone for the most trivial of reasons (eg make a phone call) and then poke their nose into your personal data, or in your WhatsApp conversations. .
Here are some examples of a direct attack on WhatsApp that requires physical access to the phone, and therefore an approach through social engineering.
Spy on WhatsApp via WhatsApp Web / Desktop
Web WhatsApp is a service offered free of charge by WhatsApp that allows you to read and send messages from your computer using your smartphone as a "bridge". I explained to you in detail how it works in my tutorial on how to use WhatsApp on PC, where I also told you about the official WhatsApp client for Windows and macOS which works the same way.
To use WhatsApp Web and the official WhatsApp client for computers, just connect to a Web page or open the WhatsApp client and scan a QR code that appears on the computer screen using the appropriate WhatsApp function on the smartphone. After that, if you leave the tick on the option active Stay connected, access to the service occurs automatically every time the smartphone is connected to the Internet.
What is even more important to point out is that the whole it works even if your smartphone and computer are not connected to the same wireless network, this means that the two devices can also be at a considerable distance from each other, the important thing is to have made the first access with the QR code and keeping the check mark on the “Stay connected” option.
What does this mean? It means that an attacker could borrow the phone from the victim under any pretext, after which he could access WhatsApp Web or the WhatsApp client from his notebook (or even from his smartphone / tablet, enabling the desktop view of the site or using apps that are based on WhatsApp Web) and thus gain access to the user's conversations to be spied on.
However, it must be specified that this solution may not be feasible, in the event that the user has set biometric recognition protections on his device, such as unlocking with the face or using the fingerprint. In this specific case, therefore, it is not possible to access Web WhatsApp, without the permission of the device owner.
Spy on WhatsApp by disguising the MAC address
Il MAC address (acronym for Media Access Control) is a 12-digit address that allows you to uniquely identify the network cards in PCs and, more generally, all devices capable of connecting to the Internet, such as smartphones.
By disguising the MAC address of their smartphone, an attacker could "trick" WhatsApp and install a copy of the application on their phone in order to receive all the victim's messages. Fortunately, this is a fairly complex operation that takes a long time to complete, but it is good to know it to avoid that some "crafty" can put it into practice. Below I illustrate the various steps that you should take to disguise the MAC Address of your phone and install a "cloned" copy of WhatsApp.
- As a first step, to disguise the MAC address of your smartphone, you should unlock the operating system with operations such as root on Android or jailbreak on iPhone and install apps suitable for the purpose (eg. SpoofMAC for iPhone and the pairing BusyBox-Mac address ghost for Android).
- Next, any copies of WhatsApp on the device should be removed and prepared to take action.
- The action, in this case, consists in borrowing the smartphone from the person to be spied on and performing these two operations.
- Find out the MAC Address of the device (on Android just go to the menu Settings> About phone> Status, on iPhone in the menu Settings> General> Info> Wi-Fi address).
- Set the MAC Address of the phone to be spied on your smartphone.
- Install WhatsApp on your smartphone and activate it using the victim's phone number (on which the app activation code will then be delivered).
Spy on WhatsApp using the victim's phone number
Some sites suggest that spy on WhatsApp by installing a copy of the app on their phone and having their activation code delivered to the victim's smartphone (which therefore must be temporarily at hand).
This technique does not work, or rather, it does not work for long as WhatsApp allows you to associate phone numbers with only one device at a time. This means that by activating two smartphones with the same mobile number, the first one stops working and the victim - fortunately - immediately realizes the unauthorized use of their account.
Spy on WhatsApp with parental control apps and spy apps
On the market there are many apps for parental control, almost always for a fee but with free trial versions, which allow you to monitor the activities carried out on a smartphone, control the phone remotely and capture screenshots remotely. Well, some of them could also be exploited for unlawful purposes and used to spy on messages exchanged on WhatsApp or other messaging systems.
Among the most effective and easy to use parental control applications currently available on the market I would like to point out Qustodio for Android and iOS e Screen Time which is also available for Android and iOS. Both of these apps, once installed on the victim's smartphone, allow you to know if and when the victim accesses WhatsApp and allow you to block or limit the use of the app remotely. They do not allow you to directly capture the conversations exchanged within the service, but they include other features that are very invasive for privacy.
Even more dangerous from a WhatsApp perspective are the spy apps, that is, applications designed exclusively to spy on the victim's smartphone, which are completely invisible and also allow you to pick up messages typed on the phone keypad.
Among the most popular spy apps at the moment is iKeyMonitor which is compatible with both Android and iPhone, but fortunately it is quite difficult to set up and, above all, it is quite expensive as it costs 22,49 $ / month (after 3 days free trial).
To learn more about Qustodio, Screen Time and other applications that can be used for spying purposes, check out my posts on how to spy on a cellphone and how to spy on Android cellphones.
App to monitor access to WhatsApp
They cannot be properly defined apps to spy on WhatsApp, but know that there are also applications that allow you to Monitor gli accessi to WhatsApp by a user, noting the times of the last connections to the service and the time spent inside it. These are particularly “unpleasant” solutions as they work remotely and do not require access to the victim's smartphone (in fact they use public data provided by WhatsApp and therefore cannot be properly defined as a spy app).
How to protect yourself from spies
After doing this "scary" roundup on the most popular spying techniques for WhatsApp conversations, let's see some practical advice on how to defend yourself from meddlers. These are simple common sense rules to follow to avoid identity theft and other unpleasant surprises (not necessarily related to WhatsApp).
- Use a secure PIN - the first piece of advice I would like to give you is to use a secure PIN to unlock the smartphone lock screen (no, 1111 and 1234 are not secure PINs!). You can change the PIN very easily using the settings menu of your smartphone.
- Android - Settings> Security> Screen lock> PIN (or Pattern if you prefer to use a gesture instead of the numeric PIN).
- iPhone - Settings> Touch ID and Code> Change code.
- Disable SMS in the lock screen - if you want to avoid the risk that some attacker activates a "cloned" copy of WhatsApp by delivering a confirmation SMS to your smartphone, disable the display of SMS on the lock screen (in this way, any attacker must have full access to the smartphone to carry out his plan and will not be able to do so with the phone locked).
- Android - Settings> Security> Screen lock> PIN. After setting the PIN you can choose whether not to show notifications at all (for any app) or whether to hide only sensitive content. If you choose this second option, you can only disable the display of SMS in the lock screen.
- iPhone - Settings> Notifications> Messages> uncheck the Show in "Lock screen" option.
- Check your WhatsApp Web sessions - as we have seen previously, it is possible to violate the privacy of WhatsApp users by activating the WhatsApp Web service "illegally". If you are concerned that someone may have carried out such an operation against you, check the active WhatsApp Web sessions for your account and, if you find any suspicious ones, deactivate them. To check the WhatsApp Web sessions open for your account, go to the Settings> WhatsApp Web / Desktop menu. To deactivate them all, however, first press the button Log out of all computers and then Disconnect.
- Reactivate your account immediately in case of deactivation - if someone activated a second copy of WhatsApp using your number, the service will stop working on your smartphone. If suddenly your account is deactivated, proceed to activate it again and contact WhatsApp support at firstname.lastname@example.org to report that they probably want to steal your identity.
- Don't use spy software - many spy apps are advertised on the Internet that promise to capture all WhatsApp messages. There are very few that really work. In most cases, these are pretty good scams, or even malware aimed at stealing user data for unlawful purposes. Try to stay away from them!
- Don't lend your smartphone to the first one that comes along - this advice could also be given to us by our grandmothers, but it is always better to reiterate certain concepts!
ATTENTION: this guide was written for illustrative purposes only. Spying on other people's conversations is a crime punishable by law, so I take no responsibility for how you will use the information contained in the article.